Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124

Password manager maker Dashlane says hackers obtained at least a dozen encrypted vaults used to store customer passwords during a cyberattack over the weekend.
The company said on its website that hackers overcame the company’s two-factor authentication system, giving them access to about 20 customer accounts. By defeating the two-factor mechanism, the hackers were able to download a copy of some customers’ encrypted vaults, which stored their passwords and other sensitive credentials.
Dashlane’s incident page said there was no evidence that its own systems had been compromised, but the company has not yet said how the hackers were able to overcome two-factor security measures in order to access customer accounts. Two-factor is a security feature that protects accounts from being accessed using only a stolen username and password, usually by requiring an additional passcode sent to the account holder’s phone.
“The intent of the attack was to enforce two-factor authentication (2FA) protection to allow the attacker to register new devices on existing user accounts,” Dashlane said. The company said attackers could use bots to “quickly push every possible digital combination into the system, hoping to guess the exact sequence before the short-lived (two-factor) security code expires.”
The company said it had “taken steps to mitigate the risks of future accidents,” without specifying what they were.
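The pattern Dashlane describes, rapid guessing of short-lived codes followed by a new device registration, is something defenders can look for in authentication logs. The following Python is an added example, not Dashlane's code or its unspecified mitigation; the log format, event names and thresholds are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <account> <event>" (hypothetical format).
SAMPLE_LOG = """\
2025-01-04T10:00:00 alice 2fa_fail
2025-01-04T10:00:40 alice 2fa_ok
2025-01-04T10:01:00 alice device_registered
2025-01-04T11:00:00 bob 2fa_fail
2025-01-04T11:00:01 bob 2fa_fail
2025-01-04T11:00:02 bob 2fa_fail
2025-01-04T11:00:03 bob 2fa_fail
2025-01-04T11:00:04 bob 2fa_fail
2025-01-04T11:00:05 bob 2fa_fail
2025-01-04T11:00:06 bob 2fa_ok
2025-01-04T11:00:20 bob device_registered
"""

def detect(log_text, max_fails=5, window=timedelta(seconds=30),
           follow_up=timedelta(minutes=10)):
    """Return (account, alert, timestamp) tuples for code-guessing bursts."""
    fails = defaultdict(deque)   # account -> failure times inside the window
    flagged = {}                 # account -> time of the latest burst
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue             # skip malformed lines
        ts, account, event = datetime.fromisoformat(parts[0]), parts[1], parts[2]
        if event == "2fa_fail":
            recent = fails[account]
            recent.append(ts)
            while ts - recent[0] > window:   # drop failures outside the window
                recent.popleft()
            if len(recent) >= max_fails:
                if account not in flagged:   # one burst alert per account per run
                    alerts.append((account, "2fa_guessing_burst", parts[0]))
                flagged[account] = ts
        elif event == "device_registered":
            burst = flagged.get(account)
            # A new device soon after a guessing burst is the outcome to escalate.
            if burst is not None and ts - burst <= follow_up:
                alerts.append((account, "new_device_after_burst", parts[0]))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

A single mistyped code followed by a normal device registration, as in the constructed "alice" lines, raises no alert; only the burst on "bob" and the registration that follows it do.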
Dashlane said it informed the 20 or so customers that their encrypted vaults had been stolen. It’s not yet clear whether specific customers were targeted for a reason, such as who they are or what they do for a living.
Dashlane spokespeople did not respond to a request for comment. The company did not say whether it knew who targeted its customers, or whether the hackers contacted Dashlane with a demand, such as a ransom.
Stolen vaults are encrypted and cannot be read without the customer’s master password, which only the customer knows and is not uploaded to Dashlane in plain text, the company’s website says. But Dashlane said customers with a master password that’s easy to guess may be more at risk of it being guessed and their password vaults being decrypted.
Data breaches affecting password management companies are rare but can have lasting consequences.
In 2022, LastPass confirmed that customer password backups were stolen during a cyberattack. Although the vaults were protected with passwords known only to the customer, the password requirements for early customers were much weaker than the later standard, allowing hackers to use brute force and easily guess the passwords to some customers’ vaults. There have been several reports of hackers stealing huge amounts of customers’ cryptocurrencies, most likely using private keys stored in stolen LastPass vaults whose master passwords were compromised after the hack.
A year ago, Australian software company Click Studios warned all its customers using its main password manager, Passwordstate, to “reset all credentials” after hackers compromised its software update mechanism to plant malware on customer systems.